PCI’s Money Making Cash Cow, ISA Program, Not So Good for the Industry
The PCI DSS has been subject to enough scrutiny over the last couple of years without the advent of the ISA program accentuating it further.
I have written about the pros and cons of the ISA program before, but now that it is really starting to take off, the cons strongly outweigh the pros.
First and foremost, the false sense of confidence the ISA program is giving individuals is insanely bad for the industry. Like any other industry certification, the ISA test isn’t difficult (Yes, CISSP and CISA, I’m calling you out here).
I’ve seen individuals with very little information security experience pass this test and, as a side effect, *think* they know everything there is to know about the PCI DSS.
As a result, two things occur. First, the ISA actually believes they have the right to now bully their QSA when it comes to scoping, sampling, documentation, etc. The issue is, unless you have actually been a QSA and have performed multiple assessments for different sized organizations across different industries, you don’t have the experience to bully anyone.
This is the equivalent of Jeremy Lin trying to bully Kobe Bryant. As an experienced QSA, we just prefer you to take notes and learn during the assessment time frame as knowledge transfer is going to be the most valuable to you.
Secondly, just because you have ISA appended to the end of your name does not make you a security expert. This is no different than having a CISSP or QSA appended to the back of your name. I don’t consider myself super religious, but I do find myself frequently asking God to stiffen the requirements on industry certifications.
Not only will this provide needed assurance of the qualifications of the person you are talking to, but it will start to restore some serious value to having the CISSP, as it once had. This will in turn give C-level executives the trust they need in our guidance and in how we are spending budgetary dollars within the organization.
Hell, it may even allow us to get more than 5% of IT’s annual budget each year for information security related items (hey... I can be an optimist).
Finally, I have yet to talk to an ISA that has not been influenced by company politics. When I actually have to argue with an ISA about a black and white requirement, such as whether or not call recordings containing cardholder data are in scope, it tells me one of two things: A) either the ISA is being influenced by company politics to keep call recordings and the associated environment out of scope, or B) the ISA does not understand the requirements well enough to actually have a coherent argument.
Most times it is the former of the two, and in all actuality it’s probably a combination. This is scary considering the ISA, in some cases, can actually perform the Report on Compliance for the organization without the help of an experienced QSA. What regulation, other than maybe EU Safe Harbor certification, allows an organization to self-attest to a compliance mandate? That, as the kids are calling it nowadays, is Cray Cray (a.k.a. crazy).
In conclusion, I am not saying the ISA program doesn’t have its place. This blog is also not an attack on ISAs around the world. I am all for educating individuals on the PCI DSS. In fact, who knows, maybe someday I will also be an ISA. All I’m saying is that if you are an ISA, unless you have actually performed assessments before, please do not automatically assume you know what you are talking about.
Humble yourself and learn from those of us that actually have been in this line of work for a very long time. Also, adhere to your auditing code-of-ethics and don’t get caught up in someone else’s political agenda.
Remember the intent of your job. In case you have forgotten, let me remind you: it is to ensure your organization is meeting the intent of the PCI DSS and ultimately protecting cardholder data.
- Andrew (@aweidenhamer)